Exploiting Insecure File Handling Nature: Analysis Of File-Upload Vulnerablities In Web Applications

!!!! Bi-Annual Double Blind Peer Reviewed Refereed Journal !!!!

!!!! Open Access Journal !!!!


Ashutosh Bahuguna, Scientist, Department of Electronics & IT (DeitY)


This paper will present the one of the major threat to web-application security: Insecure file upload vulnerabilities including weak checks and controls exploited by the attackers to upload webshell for the complete compromise of the web-server. It was observed on the log analysis and vulnerability assessment of the website penetrations that insecure file-upload feature of web- applications is one of the major threat and compromised by attackers frequently. Web-application developers using different controls and checks for safe file upload are not adequate and can be easily bypassed. Web shell is a backdoor which gain complete access to a computer system through a dynamic server side web page in an undocumented way. Webshell creates a remote accessible interface that allow execution of malicious functions on web server. Once the attacker successfully planted these web shell code on a web server, it is possible to do any sort of malicious activities ranging from defacing a website to hosting a command & Control (C & C) server. This paper will discuss file-upload weaknesses and techniques to bypass checks and controls implemented on the web-application for file-upload. A web-application is developed for purpose of study & demonstration of effectiveness of different controls and checks implemented in defaced/compromised web-applications incidents involving malicious file upload.

No votes yet